Substitution-box for symmetric-key ciphers



The invention relates to cryptographically converting an input data block into 
an output data block using a non-linear operation in the form of a Substitution-box (S-box) 
based on a set of permutations. 

The application of cryptography in the area of copyright protection of digital
audio and/or video is becoming increasingly important. These applications include contents
encryption/decryption and access management functions. For such applications the
well-known block cipher DES can be used. DES is a Feistel cipher consisting of sixteen rounds.
In each round, first the 32 bits of the right half of the data are expanded to 48 bits. Next, a
48 bit round key, which is computed from a 56 bit DES key with a scheduling algorithm, is
bit-wise added modulo two to these 48 bits. Then a layer of S-boxes performs a non-linear
operation on the data. In DES, the S-box layer consists of eight six-to-four bit S-boxes in
parallel, i.e. each of the S-boxes converts a 6-bit input block into a 4-bit output block using
one fixed mapping table per S-box. The output of the S-box layer is a 32 bit data block on
which a bit-permutation is performed. The S-box substitution is the only non-linear operation
in DES and contributes highly to its security. A drawback of DES is its small key size of 56
bits, which is considered to be insufficient nowadays for offering a high level of security.
However, an exhaustive key search can be avoided by using a longer key combined with a
different key scheduling algorithm for computing the sixteen 48-bit round keys. The two
most powerful attacks on DES published in the open literature are differential and linear
cryptoanalysis, which are general attacks that can be applied to a wide range of block ciphers.
It has been shown that DES cannot be strengthened much against these attacks by modifying
the key length and/or the key scheduling algorithm. However, changes in the round function
of the algorithm (e.g. in the S-boxes) can influence its strength against these attacks
considerably.

It is an object to design S-boxes with good cryptographic characteristics. It is a
further object that such S-boxes can be efficiently implemented in hardware and software
allowing a broad use in consumer electronic applications.

To meet the object of the invention, the permutation for the S-box is
dynamically selected from a predetermined set of permutations. Preferably, each permutation
in the set is chosen to provide optimal resistance against known attacks, in particular
differential and linear cryptoanalysis. By choosing the permutations (pseudo-)randomly the
system can be made cryptographically stronger than a system in which each S-box consists of
only one fixed permutation. Selection of a permutation from a set can be executed fast and
cost-effectively.

As defined in the measure of the dependent claim 2, and further elaborated in
the dependent claims 3 and 6, a cryptographic weakness in one of the permutations is
compensated by a corresponding strength in at least one of the other permutations of the set.
The weakness may, for instance, be reflected in a non-trivial differential and/or linear
characteristic having a predetermined maximum probability. An advantage of this approach
is that an adversary cannot base a differential or linear attack on these characteristics without
making assumptions on the unknown (round) key(s).

As defined in the measure of the dependent claim 4, the weakness is fully
compensated.

As defined in the measure of the dependent claim 10, the selection of the
permutation is preferably performed under control of a round key. The algorithm generating
the round keys (i.e. the key scheduling algorithm) can be chosen to obtain a desired degree of
pseudo-randomness. An advantage of using round keys for the selection is that the
permutation is selected from the set during the computation of the round keys. For efficiency
reasons, this is usually and preferably done once for each key and all data that has to be
processed (e.g. encrypted) with this key. In this way the encryption/decryption algorithm can
be as efficient as a system based on S-boxes consisting of only one fixed permutation for
each S-box.

These and other aspects of the invention will be apparent from and elucidated
with reference to the embodiments shown in the drawings.



Fig. 1 shows one round of a cipher incorporating the non-linear operation; 
Fig. 2 illustrates the steps of the round function; and 
Fig. 3 provides details of the S-box layer of the round function.



For the purpose of explaining the invention, the cryptographic system is
described as a block cipher in the Electronic Codebook (ECB) mode. Persons skilled in the
art will be able to use the system in other modes as well. These include the standard FIPS
modes of operation for DES, i.e. the Cipher Block Chaining (CBC), the Cipher Feedback
(CFB) and the Output Feedback (OFB) mode of operation. In addition, the system can also
be used in well-known constructions for pseudo-random number generators, Message
Authentication Codes (MACs) and Manipulation Detection Codes (MDCs).

The cryptographic apparatus comprises an input for obtaining a digital input
block. The digital input block M may be any suitable size. The apparatus further comprises a
cryptographic processor for converting the digital input block into a digital output block.
Advantageously, the digital output block has substantially the same length as the digital input
block. The apparatus comprises an output for outputting the digital output block. In a
preferred embodiment, the cryptographic processor converts the digital input block into the
digital output block by merging the digital input block with key bits, producing the output
block which non-linearly depends on the input block and the key. To obtain the key (or an
initial key feeding a key scheduler), the cryptographic apparatus comprises a second input. It
will be appreciated that the cryptographic apparatus may be implemented using a
conventional computer, such as a PC, or using a dedicated encryption/decryption device. The
digital input block may be obtained in various ways, such as via a communication network,
from a data storage medium, such as a hard disk or floppy disk, or directly being entered by a
user. Similarly, the digital output block may be output in various ways, such as via a
communication network, stored on a data storage medium, or displayed to a user. Preferably,
secure means are used to this end. The cryptographic processor may be a conventional
processor, such as for instance used in personal computers, but may also be a dedicated
cryptographic processor. The processor is usually operated under control of a suitable
program (firmware) to perform the steps of the algorithm according to the invention. This
computer program product is normally loaded from a background storage, such as a hard disk
or ROM. The computer program product can be stored on the background storage after
having been distributed on a storage medium, like a CD-ROM, or via a network, like the
public Internet. Sensitive information, like an encryption key, is preferably distributed and
stored in a secure way. Techniques for doing so are generally known and not described
further. The cryptographic apparatus may, in part or in whole, be implemented on a
smart-card.

The non-linear operation of the S-box according to the invention performed by
the cryptographic processor will be described in the form of a round function $f$ in a block
cipher as an exemplary application. Persons skilled in the art will be able to use the
non-linear function in other cryptographic systems as well, and in ciphers other than the one
described in detail below.

Notations and definitions:

The following notation is used in the description of the exemplary algorithm.
Let $Z_2^n$ be the set of all binary vectors of length $n$ ($n > 1$) with the addition
$\oplus : Z_2^n \times Z_2^n \to Z_2^n$, which is defined as a coordinate-wise addition modulo 2
(also referred to as an exclusive-or, or XOR). For example, (1,0,1,0) and (0,1,1,0) are
elements of $Z_2^4$ and (1,0,1,0) $\oplus$ (0,1,1,0) = (1,1,0,0). If $n$ is even and
$x \in Z_2^n$, then $x^{(L)} \in Z_2^{n/2}$ and $x^{(R)} \in Z_2^{n/2}$ are defined as the left
and the right half of $x$ respectively. For example, if $x$ = (1,0,1,1,0,0,1,0) $\in Z_2^8$, then
$x^{(L)}$ = (1,0,1,1) $\in Z_2^4$ and $x^{(R)}$ = (0,0,1,0) $\in Z_2^4$. The symbol $\|$ is used
to denote a concatenation of vectors, e.g. $x = (x^{(L)} \| x^{(R)})$. The elements (also called
bits) of a vector $x \in Z_2^n$ are numbered from zero to $n-1$ from the left to the right, i.e.
$x = (x_0, x_1, x_2, \ldots, x_{n-1})$. The inproduct $\bullet : Z_2^n \times Z_2^n \to Z_2$ is
defined as $x \bullet y = \sum_{i=0,1,\ldots,n-1} x_i y_i \in Z_2$ for all $x, y \in Z_2^n$.

Block cipher structure: 

The exemplary block cipher is a Feistel cipher and consists of sixteen rounds
(like DES). The block length equals 64 bits and the key length equals 128 bits. Encryption in
Electronic Codebook (ECB) mode of a plain text $X \in Z_2^{64}$ into its cipher text
$C \in Z_2^{64}$ under the key $K \in Z_2^{128}$ is denoted by $C = E(K,X)$.

The round function is denoted by $f$ and is a mapping from $Z_2^{40} \times Z_2^{32}$ to
$Z_2^{32}$. This round function incorporates the non-linear S-box operation of the invention and
will be described in more detail below. The first input argument of the round function is the
round key $K_i \in Z_2^{40}$ (where $i$ indicates the round number, $i = 1, 2, \ldots, 16$). These
round keys are computed from the 128 bit key $K$ with a so-called key scheduling algorithm. Any
suitable key scheduling algorithm may be used and is not described in detail. The second input
argument is the right half of the intermediate result after round $i$. This intermediate result is
denoted by $X_i \in Z_2^{64}$ ($i = 0, 1, \ldots, 16$) with $X =: (X_0^{(R)} \| X_0^{(L)})$.

With this notation the computation of the cipher text $C \in Z_2^{64}$ consists of the
following steps, as illustrated in Fig. 1:

1. Compute $X_i^{(R)} = X_{i-1}^{(L)} \oplus f(K_i, X_{i-1}^{(R)})$ and set
$X_i^{(L)} = X_{i-1}^{(R)}$ for $i = 1, 2, \ldots, 15$.

2. Compute $X_{16}^{(L)} = X_{15}^{(L)} \oplus f(K_{16}, X_{15}^{(R)})$ and set
$X_{16}^{(R)} = X_{15}^{(R)}$. The cipher text is defined as
$C := (X_{16}^{(L)} \| X_{16}^{(R)})$.

Fig. 1A shows the cipher structure used for the first fifteen rounds ($i = 1, 2, \ldots, 15$).
Fig. 1B shows the last, sixteenth round. Note the irregular swap in Fig. 1B compared to
the previous rounds of Fig. 1A. This is usually done in Feistel structures, because in this case
the decryption algorithm (i.e. computing $X = E^{-1}(K,C)$) is the same as the encryption
algorithm (with the round keys in reverse order). It has no meaning in a cryptographic sense.

Round function:

Fig. 2 shows an overall block diagram of a preferred embodiment of the round
function $f$. First a part of the round key, of for instance 32 bits, is added to the data bits in
step 210. Next, in step 220, the S-boxes perform a non-linear substitution, preferably providing
an optimal (local) resistance against differential and linear cryptoanalysis. In addition,
preferably the non-trivial (local) characteristics with a predetermined maximum probability
are made (round) key dependent, as described below in more detail. Finally, in step 230 a
linear transformation is used to provide a high diffusion over multiple rounds. Any suitable
linear transformation may be used. The linear transformation is not the subject of the present
invention and will not be described in detail.

The Feistel structure puts no restrictions on the surjectivity of the round 
function. However, preferably the round function is bijective for every choice for the fixed 
(round) key. This avoids attacks based on the non-uniformity of the round function. 

Fig. 3 provides more details of a preferred arrangement incorporating the S-box
according to the invention. In this exemplary system the round function $f$ is a mapping
from $Z_2^{40} \times Z_2^{32}$ to $Z_2^{32}$. The first input argument is the round key
$K_i \in Z_2^{40}$, the second one the right half of the intermediate result $X_{i-1}$. The
output is denoted by $f(K_i, X_{i-1}^{(R)}) \in Z_2^{32}$. In this figure, $K_i^{(1)} \in Z_2^{32}$
and $K_i^{(2)} \in Z_2^8$ are defined as $K_i =: (K_i^{(1)} \| K_i^{(2)})$. In step 210, the key
addition takes place, followed in step 220 by a key dependent Substitution-box (S-box) layer.
In this example, the S-box layer consists of eight smaller S-boxes
($S_0, S_1, S_2, \ldots, S_7$), each operating on 1/8 of the data block. The S-box
transformation is a mapping from $Z_2^8 \times Z_2^{32}$ to $Z_2^{32}$; the first input argument
in round $i$ is the round key $K_i^{(2)}$, the second one the result of the key addition, i.e.
$X_{i-1}^{(R)} \oplus K_i^{(1)}$. The 32 bit output of the S-box transformation is denoted by
$S(K_i^{(2)}, X_{i-1}^{(R)} \oplus K_i^{(1)})$. A detailed description of this mapping will be
given below. Finally, in step 230 a suitable linear transformation from $Z_2^{32}$ to $Z_2^{32}$
is applied. The input is $S(K_i^{(2)}, X_{i-1}^{(R)} \oplus K_i^{(1)})$, its output is denoted by
$L(S(K_i^{(2)}, X_{i-1}^{(R)} \oplus K_i^{(1)}))$. With this notation the function $f$ is given by:

$f(K_i, X_{i-1}^{(R)}) = L(S(K_i^{(2)}, X_{i-1}^{(R)} \oplus K_i^{(1)}))$.

S-boxes:

According to the invention, an S-box performs a substitution of the data. In a
preferred embodiment described here, the S-box operates on a 4-bit sub-block. It will be
appreciated that also sub-blocks of other sizes can be used. According to the invention, for
each S-box a set of at least two predetermined permutations is used, where each time before
using the S-box one of these permutations is selected in a (pseudo-)random manner.
Preferably, the round key is used for this selection. In a preferred embodiment, each S-box is
associated with two permutations, where one predetermined bit of the round key is used to
select which of both permutations is used. Using relatively small S-boxes, such as ones
operating on 4-bit sub-blocks, will normally require a row of parallel S-boxes, each being
associated with a respective set of at least two non-linear permutations. In a preferred
embodiment of a block cipher operating on 32-bit blocks and using 4-bit S-boxes, eight
S-boxes are used in parallel, each of which consists of two permutations. For this embodiment
the following notation is used. Let the bits in the first input argument $K_i^{(2)}$ of the S-box
transformation be denoted by $k_j^{(i)}$ ($j = 0, 1, \ldots, 7$), i.e.
$K_i^{(2)} =: (k_0^{(i)}, k_1^{(i)}, \ldots, k_7^{(i)})$. The vectors $N_j^{(i)} \in Z_2^4$
($j = 0, 1, \ldots, 7$) are defined as
$X_{i-1}^{(R)} \oplus K_i^{(1)} =: (N_0^{(i)} \| N_1^{(i)} \| \ldots \| N_7^{(i)})$. The S-box
mapping consists of a concatenation of eight mappings $S_j : Z_2 \times Z_2^4 \to Z_2^4$
($j = 0, 1, \ldots, 7$). The first input argument is the key bit $k_j^{(i)}$, which selects which
of the two permutations for $S_j$ is used. The second input argument is $N_j^{(i)}$, which is the
input for the selected 4-bit permutation for $S_j$. The corresponding 4-bit output of this
permutation is also the output of the S-box, and is denoted by $S_j(k_j^{(i)}, N_j^{(i)})$. With
this notation the function $S$ is given by:

$S(K_i^{(2)}, X_{i-1}^{(R)} \oplus K_i^{(1)}) = ( S_0(k_0^{(i)}, N_0^{(i)}) \| S_1(k_1^{(i)}, N_1^{(i)}) \| \ldots \| S_7(k_7^{(i)}, N_7^{(i)}) )$.

Differential and linear characteristics of a permutation: 

The following design criteria are preferably used for the individual
permutations:

1. Resistance against differential cryptoanalysis: the maximum non-trivial
value in the XOR distribution table equals a predetermined maximum. Assuming 4-bit
permutations this maximum is 4, i.e. each non-trivial differential characteristic has a
probability of at most 1/4. The concept of differential characteristic and XOR distribution table
is generally known. It has been described publicly for the first time in 1990 by Biham and
Shamir, for instance in "Differential Cryptoanalysis of DES-Like Cryptosystems", Journal of
Cryptology, Volume 4 (1), 1991, pp 3-72.

2. Resistance against linear cryptoanalysis: the maximum non-trivial absolute
value in the linear approximation table equals a predetermined maximum. Assuming 4-bit
permutations, this maximum is 4, i.e. each non-trivial linear characteristic has a probability
between 1/4 and 3/4. The concept of linear characteristic and linear approximation table is
generally known. It has been described publicly for the first time by Matsui. A description is
given in E. Biham, "On Matsui's Linear Cryptoanalysis", EUROCRYPT'94, LNCS 950,
Springer, 1995, pp. 341-355.

Preferably each permutation meets both of these requirements. The above criteria
are described in detail for 4-bit non-linear permutations. It can be proven that these criteria
are optimal for 4-bit permutations, i.e. there exists no 4-bit permutation with a maximal
non-trivial XOR distribution table value smaller than 4, and there exists no 4-bit permutation
with a maximal non-trivial absolute value in its linear approximation table that is smaller than 4.

Permutations meeting the above criteria can be created by randomly generating a
permutation and testing whether the generated permutation meets the criteria. Also other
suitable techniques may be used, like exhaustive search until a suitable permutation is found
or using (mathematical) construction methods. One particular example of a construction
method is based on the inversion mapping in the finite field with $2^n$ elements, with zero
mapped to itself, and can be found in K. Nyberg, "Differentially uniform mappings for
cryptography", EUROCRYPT'93, LNCS 765, Springer, 1994, pp. 55-64. The corresponding
criteria satisfied by the n-bit S-boxes constructed according to this method, with n even, are
given by:

1. Resistance against differential cryptoanalysis: the maximum non-trivial
value in the XOR distribution table equals 4, i.e. each non-trivial differential characteristic
has a probability of at most $4/2^n$.

2. Resistance against linear cryptoanalysis: the maximum non-trivial absolute
value in the linear approximation table equals $2^{n/2}$, i.e. each non-trivial linear
characteristic has a probability between $1/2 - 1/2^{n/2}$ and $1/2 + 1/2^{n/2}$.

It is easily seen that these criteria generalize the ones given above for 4-bit
permutations. It is well-known that applying any invertible affine mapping (over $Z_2^n$) on all
input elements and/or on all the output elements of an n-bit S-box does not affect its
maximum non-trivial XOR value or its maximum non-trivial absolute value in its linear
approximation table. In this way a number of S-boxes satisfying the above criteria can be
constructed from a single S-box.

According to the invention an S-box is associated with at least two non-linear
permutations. The permutations in the set have been selected such that they compensate each
other's weaknesses. This will be described in more detail for the differential and linear
characteristics respectively. The additional criteria will be illustrated using an S-box, e.g. $S_0$
with the following two permutations:

The rows 0 and 1 represent the output of the two permutations, corresponding
to the input defined by the column number. In the following, these two permutations will be
denoted by $P_0$ and $P_1$ respectively. Both input and output are given in hexadecimal notation.
For instance, if the first permutation is selected (i.e. $k_0^{(i)} = 0$), and $N_0^{(i)} = 3$ then
the output equals 9, i.e. $S_0(0,3) = 9$. Similarly, $S_0(1,3) = f$. Assuming eight parallel
S-boxes, each associated with two permutations specific for that box, a total of 16 different
permutations need to be generated. Preferably, each of those permutations meets all criteria
given above. According to the invention, the permutations belonging to one S-box, as a set, also
meet at least one, and preferably both, of the criteria given below.

Differential characteristics of a set of permutations: 
A set of permutations for one S-box satisfies the following criterion:

If a non-trivial differential characteristic in one of the permutations has 
maximum probability, then this differential characteristic has a lower probability in at least 
one of the other permutations. 

It will be appreciated that in this way the weakness in one of the permutations
is compensated by a strength in one of the other permutations. Preferably, the lower
probability is zero, optimally compensating a weakness. The preferred criterion, therefore,
for a pair of 4-bit permutations for one S-box is: if a non-trivial differential characteristic in
one of the two permutations has probability 1/4, then this differential characteristic has
probability 0 in the other permutation, i.e. each non-trivial (round)key-independent
differential characteristic of an S-box has a probability of at most 1/8.

To illustrate that the two described permutations $P_0$ and $P_1$ meet this criterion,
their XOR distribution tables are given below. The entry in row $\alpha$ and column $\beta$ in
the XOR distribution table of $P_i$ (with $\alpha, \beta \in Z_2^4$) is denoted by
$X_i^{\alpha,\beta}$ and is defined as:

$X_i^{\alpha,\beta} := \#\{ x \in Z_2^4 \mid P_i(x) \oplus P_i(x \oplus \alpha) = \beta \}, \quad i = 0, 1.$

I.e. $X_i^{\alpha,\beta}$ equals the number of input pairs with difference $\alpha$ that causes a
difference $\beta$ in the corresponding output pair for the permutation $P_i$.



XOR distribution table of $P_0$

The probability for a given (local) differential characteristic, i.e. the
probability that an input difference $\alpha$ causes an output difference $\beta$ (denoted by
$\alpha \to \beta$), can be found by dividing the corresponding entry by the total number of
input pairs with the given input difference. This total number of input pairs equals sixteen for
4-bit permutations, so the probability that $\alpha \to \beta$ is given by
$X_i^{\alpha,\beta}/16$. Note that the entries in the first row and column of these tables
represent the trivial characteristic, i.e. $0 \to 0$ with probability one, which always holds for
permutations. It is easily seen that all other (non-trivial) differential characteristics have
probability smaller or equal to 1/4, since the maximum value over all other entries equals 4 for
both permutations.

XOR distribution table of $P_1$

The compensation effect can, for instance, be seen by considering the
characteristic $7 \to 5$ for both permutations. For $P_0$ the probability that $7 \to 5$ equals
$X_0^{7,5}/16 = 1/4$, for $P_1$ this probability is given by $X_1^{7,5}/16 = 0$. Preferably this
compensation occurs for as many as possible elements. In the example, this holds for all
elements with the maximum XOR difference value of four. Using well-known techniques for
generating and testing permutations, a person skilled in the art can create eight such pairs of
permutations within a few days for 4-bit permutations. Alternatively, a different pair of
permutations $P_0^*$ and $P_1^*$ satisfying the criteria can be constructed from $P_0$ and $P_1$
by e.g. applying an affine transformation on the output of both of these permutations. This can
be done by selecting a non-singular 4 x 4 matrix $A$ over $Z_2$ and a vector $b \in Z_2^4$ and
defining $P_0^*(x) := P_0(x)A \oplus b$ and $P_1^*(x) := P_1(x)A \oplus b$ for all
$x \in Z_2^4$. It can be easily verified that in this way 322560 different (ordered) pairs of
permutations can be constructed, each of which satisfies all above criteria. Note that one of
these transformations is the identity mapping from $Z_2^4 \to Z_2^4$, i.e.
$P_0^* = P_0$ and $P_1^* = P_1$.

Linear characteristics of a set of permutations: 
A set of permutations for one S-box satisfies the following criterion: 
If a non-trivial linear characteristic in one of the permutations has a probability
with a maximal absolute difference from 1/2, then this linear characteristic has a probability
that is closer to 1/2 in at least one of the other permutations.

It will be appreciated that in this way the weakness in one of the permutations
is compensated by a strength in one of the other permutations. Preferably, the corresponding
probability in one of the other permutations equals 1/2, optimally compensating a weakness.
The preferred criterion, therefore, for a pair of 4-bit permutations for one S-box is: if a linear
characteristic in one of the two permutations has probability 1/4 or 3/4 then this linear
characteristic has probability 1/2 in the other permutation, i.e. each (round) key-independent
linear characteristic of an S-box has a probability between 3/8 and 5/8.

To illustrate that the two described permutations $P_0$ and $P_1$ meet this criterion,
their linear approximation tables are given below. The entry in row $\alpha$ and column
$\beta$ in the linear approximation table of $P_i$ (with $\alpha, \beta \in Z_2^4$) is denoted by
$L_i^{\alpha,\beta}$ and is defined as:

$L_i^{\alpha,\beta} := \#\{ x \in Z_2^4 \mid x \bullet \alpha = P_i(x) \bullet \beta \} - 8, \quad i = 0, 1.$

I.e. for the permutation $P_i$, $L_i^{\alpha,\beta}$ represents the number of inputs for which the
linear relation on the input bits defined by $\alpha$ equals the linear relation on the
corresponding output bits defined by $\beta$ minus 8, which is the ideal number for 4-bit
permutations (more generally, the ideal value is $2^{n-1}$ for n-bit permutations).

Linear approximation table of $P_0$

The probability for a given (local) linear characteristic, i.e. the probability that
the linear relation on the input bits defined by $\alpha$ equals the linear relation on the output
bits defined by $\beta$ (denoted by $\alpha \to \beta$), equals $1/2 + L_i^{\alpha,\beta}/16$. Note
that the entries in the first row and column of these tables represent the trivial characteristic,
i.e. $0 \to 0$ with probability one, which holds for any mapping. It is easily seen that all other
(non-trivial) linear characteristics have probability between 1/4 and 3/4, since the minimum and
maximum value over all other entries equal minus four and four respectively for both permutations.
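
The following Python sketch is an added example, not part of the patent text: it builds the XOR distribution and linear approximation tables as defined above, checks the set criteria for a pair of permutations, and performs the key-bit selection of the S-box layer. Because the tables of $P_0$ and $P_1$ are not reproduced on this page, the pair is constructed here from the inversion mapping in GF(2^4) followed by an invertible linear output map; the field polynomial x^4 + x + 1, the multiplier 0xF, the reuse of one pair for all eight S-boxes and all function names are assumptions of this example.

```python
from fractions import Fraction

def gf16_mul(a, b):
    """Multiply in GF(2^4) modulo x^4 + x + 1 (field polynomial is an assumption)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r

def gf16_inv(x):
    """Inversion mapping x -> x^14 = x^-1; zero is mapped to itself."""
    r = 1
    for _ in range(14):
        r = gf16_mul(r, x)
    return r

# Constructed pair, NOT the patent's P0/P1 (their tables are absent from this copy).
P0 = [gf16_inv(x) for x in range(16)]
P1 = [gf16_mul(0xF, y) for y in P0]  # invertible linear map applied to P0's output

def xor_table(p):
    """X[a][b] = #{x : p(x) XOR p(x XOR a) = b}."""
    t = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            t[a][p[x] ^ p[x ^ a]] += 1
    return t

def parity(v):
    return bin(v).count("1") & 1

def lin_table(p):
    """L[a][b] = #{x : x.a = p(x).b} - 8 (inproduct over Z_2)."""
    return [[sum(parity(x & a) == parity(p[x] & b) for x in range(16)) - 8
             for b in range(16)] for a in range(16)]

NONTRIVIAL = [(a, b) for a in range(16) for b in range(16) if (a, b) != (0, 0)]

def max_nontrivial(t):
    return max(abs(t[a][b]) for a, b in NONTRIVIAL)

def compensated(t0, t1, full):
    """Set criterion: wherever one table reaches the maximum, the other table is
    strictly lower (full=False) or exactly zero (full=True, the preferred form)."""
    peak = max(max_nontrivial(t0), max_nontrivial(t1))
    limit = 0 if full else peak - 1
    for a, b in NONTRIVIAL:
        lo, hi = sorted((abs(t0[a][b]), abs(t1[a][b])))
        if hi == peak and lo > limit:
            return False
    return True

def key_independent_max(x0, x1):
    """Largest non-trivial differential probability when the selecting key bit
    is unknown and uniform: the mean of the two tables' entries, over 16."""
    return max(Fraction(x0[a][b] + x1[a][b], 32) for a, b in NONTRIVIAL)

def s_layer(k2, n, pairs):
    """S(K2, N): key bit k_j selects which permutation of pair j substitutes
    nibble N_j; bit 0 and nibble 0 are the leftmost, as in the text."""
    out = 0
    for j in range(8):
        kj = (k2 >> (7 - j)) & 1
        nj = (n >> (4 * (7 - j))) & 0xF
        out = (out << 4) | pairs[j][kj][nj]
    return out

if __name__ == "__main__":
    X0, X1, L0, L1 = xor_table(P0), xor_table(P1), lin_table(P0), lin_table(P1)
    print("max XOR entries:", max_nontrivial(X0), max_nontrivial(X1))
    print("max |LAT| entries:", max_nontrivial(L0), max_nontrivial(L1))
    print("differential, full compensation:", compensated(X0, X1, full=True))
    print("linear, lower / full:", compensated(L0, L1, False), compensated(L0, L1, True))
    print("key-independent max differential probability:", key_independent_max(X0, X1))
    # Reusing one pair for all eight boxes is a shortcut; the text uses box-specific pairs.
    print(hex(s_layer(0x80, 0x33333333, [(P0, P1)] * 8)))
```

For this constructed pair the differential criterion holds in its preferred form, while the linear criterion holds only in the general form (the other table's entry is lower, not zero).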

Linear approximation table of $P_1$

The compensation effect can, for instance, be seen by considering the linear
characteristic $2 \to 3$ for both permutations. For $P_0$ the probability that $2 \to 3$ equals
$1/2 + L_0^{2,3}/16$ = %, for $P_1$ this probability is given by $1/2 + L_1^{2,3}/16 = 1/2$.
Preferably this compensation occurs for as many as possible elements. In the example, this holds
for all elements with the maximum absolute value of four. Using well-known techniques for
generating and testing permutations, a person skilled in the art can create eight such pairs of
permutations within a few days for 4-bit permutations. Alternatively, a different pair of
permutations $P_0^*$ and $P_1^*$ satisfying the criteria can be constructed from $P_0$ and $P_1$
by e.g. applying an affine transformation on the output of both of these permutations. This can
be done by selecting a non-singular 4 x 4 matrix $A$ over $Z_2$ and a vector $b \in Z_2^4$ and
defining $P_0^*(x) := P_0(x)A \oplus b$ and $P_1^*(x) := P_1(x)A \oplus b$ for all
$x \in Z_2^4$. It can be easily verified that in this way 322560 different (ordered) pairs of
permutations can be constructed, each of which satisfies all above criteria. Note that one of
these transformations is the identity mapping from $Z_2^4 \to Z_2^4$, i.e.



